A Business/Organization/Institution is responsible for the Private Information they collect. Only collect sensitive personal identifying information that has a legitimate business need. Then only keep it for as long as you need it.

Social Security Numbers should only be used for required and lawful purposes – like taxes. Never use all or part of a SSN as an employee or customer ID number. Losing your employees’ SSN to identity thieves will destroy morale and productivity.

Credit Card and Debit Card numbers need to be truncated to no more than the last 5 digits on electronically printed receipts. The expiration date cannot be printed on the receipt. If you must use impression paper receipts, those old slide over the card machines with 3 part carbons, destroy the carbons and mark-out all but the last 5 digits of the CC number and expiration date on the customer’s receipt.

Do not keep customer credit card information unless you have a very good reason – monthly billing for example. Keeping the number, expiration date and CVV code increases your risk being the source of credit card fraud. You could end up liable for 5, 6 or 7 figure fees and judgments. Yes I said over a million dollars.

Make sure you are PCI-DSS compliant. The Payment Card Industry Data Security Standard was created to increase controls around cardholder data to reduce credit card fraud. Your Card Processing company is charging you a monthly fee, if you are not compliant.

A written policy needs to be created identifying what information is kept, how it is secured, how long it is kept and the method of disposal.

Don’t collect it if you don’t need it. If you need it protect it.

Share this:

Like this:

LikeLoading...

Related

About Bruce Demarest

Bruce Demarest is a Identity Theft Protection Specialist. He has designed and taught classes to educate individuals and businesses in identity theft risk management.
The individuals have learned how to continuously monitor their financial identities from credit fraud, plus how to monitor their personal identifying information for unauthorized use.
His business clients have become compliant with the federal & state privacy laws. He has conducted information security audits to identify their potential problems and has designed security policies, programs, and practices to address those problem areas.